Using the VPN
A single, personal VPN profile gives you secure access to the internal networks of every plant you are authorized for — install it once and reach inverters, data loggers, and control-cabinet PCs as if you were on site. This guide walks you through issuing your profile, connecting, managing your routes, and rotating or revoking when needed. For how the VPN works under the hood, see VPN.
Where it lives
Everything below happens on your Profile page under the VPN tab. Open in Mirox — then choose the VPN tab (Profile menu ▸ Profile ▸ VPN).
Before You Start
- You need permission on at least one plant. The certificate alone reaches nothing — only the plants your permissions grant become routable.
- Install a WireGuard client on your device (desktop or mobile). You will import a configuration file into it.
- A plant becomes reachable once it has a Mirox-Agent connection and configured subnets. Until then its route shows as unreachable and goes live automatically when the agent comes up.
Issue Your Personal VPN Profile
You can hold exactly one personal VPN certificate at a time.
- Open your Profile and select the VPN tab.
- Click Issue cert.
- Your WireGuard configuration file (
.conf) downloads to your device automatically.
The config is shown exactly once
The configuration file contains your private key, which is generated on your device and never stored in the cloud. It is delivered to you a single time, on issue (and again on rotation). Save it somewhere safe immediately. If you lose it, you must rotate to get a new one.
Install the Configuration in WireGuard
- Open your WireGuard client.
- Import the downloaded
.conffile (on desktop: Import tunnel(s) from file; on mobile: scan or import the file). - Activate the tunnel.
Once the tunnel is up, you can address the plant networks you have access to directly — web interfaces of inverters, tracker controllers, data loggers and control-cabinet PCs, SSH to service devices, Modbus/TCP diagnostics, or any of your own tools that talk to the plant infrastructure.
Confirm the right config is active
On the VPN tab, the Manage VPN certificate card shows your current public key. It should match the public key your WireGuard client reports for the active tunnel. If they differ, your .conf is stale — rotate and re-download.
Reach the Plants You Are Authorized For
The Reachable subnets card lists every plant subnet your current permissions open, grouped by organization, portfolio, and plant. The list is derived automatically — there is nothing to add by hand.
- A new permission, a new plant, or a newly configured subnet appears here on its own.
- When a permission is removed (a role change, an ended cooperation, a deleted plant), the route disappears automatically and any open connection drops at the next sync.
- Use the search box and the portfolio/plant filters to find a specific subnet quickly.
Each row shows a Status:
| Status | Meaning |
|---|---|
| active | The subnet is routed and reachable through your tunnel right now |
| conflict | Two or more plants you can reach use the same local subnet — see below |
| unreachable | No agent peer is provisioned for this plant yet; the route goes live automatically once it is |
If your route set changes and you want to pull the latest immediately, click Refresh.
Resolve a Conflicting Subnet
When two plants you can reach use the same local range (for example both on 192.168.1.0/24), your tunnel cannot route the range to both at once. Conflicting subnets are listed first so you can deal with them right away, and the losing rows are highlighted.
To choose which plant owns the range for you:
- In the Reachable subnets card, find the highlighted conflict rows for the subnet.
- Click the row for the plant you want to reach.
- Confirm Use this park in the dialog.
Traffic to that subnet is now tunneled to the plant you picked. The other plants claiming the same range stay attached to your VPN but stop resolving that subnet until you switch back. Repeat the switch whenever you need to reach a different plant on the same range.
One range, one destination at a time
A conflict is not an error — it just means you have to tell the platform which plant wins for that overlapping range. Switching the winner is instant and reversible.
Review Your Connections
The Recent connections card is your self-transparency view of your own certificate:
- When each session started and how long it lasted (the live tunnel shows Online).
- The geographic location and source IP address of the connection.
- The data volume transferred per session.
See a connection you don't recognize?
If a session looks unfamiliar, rotate your certificate immediately (see below). This view shows only your certificate's activity — the full, legally compliant access audit for a plant is held separately by the plant's operator organization. See Access Audit Logging.
Rotate or Revoke Your Certificate
Both actions live in the red Manage VPN certificate card at the bottom of the VPN tab.
Rotate
Use rotate when you switch devices or suspect your key was exposed. It replaces your key set without removing the certificate.
- Click Rotate cert.
- Confirm Rotate & download.
- The new
.confdownloads once — save it and re-import it into WireGuard.
Your old key stops working at the next sync, so the previous tunnel disconnects. Your routes and session history are kept.
Revoke
Use revoke when you no longer need VPN access at all.
- Click Revoke cert.
- Confirm Revoke.
You are disconnected immediately, and the certificate, its routes, and your session history are removed. You can always issue a fresh certificate later.
When to Use the VPN
The personal VPN is the right tool when you need to use arbitrary tools productively against devices across several plants. If you only need to open a single device's web interface, the Proxy is faster — no client to install, straight from the browser. For organization-wide or plant-hosted tunnels managed centrally rather than per person, see Configuring VPN Servers per Agent (Direct VPN). The full comparison of all remote-access flavours lives in the VPN feature distinction table.
Related Guides
- Using the Proxy — open a device's web interface from the browser with no VPN client
- Configuring VPN Servers per Agent (Direct VPN) — central, per-agent plant tunnels
- VPN — how the personal VPN works and what it delivers
- Access Audit Logging — the operator-side audit trail of all VPN access
- Permission System — controls which plants your certificate can reach